Analysis

  • max time kernel
    156s
  • max time network
    168s
  • platform
    windows7_x64
  • resource
    win7-20231023-en
  • resource tags

    arch:x64, arch:x86, image:win7-20231023-en, locale:en-us, os:windows7-x64, system
  • submitted
    18/11/2023, 01:25

General

  • Target

    NEAS.f83148f181f138db59182790125e3550.exe

  • Size

    1.1MB

  • MD5

    f83148f181f138db59182790125e3550

  • SHA1

    59af834bd5049062d03068977b90fdd60ab75516

  • SHA256

    8cfaca4031f29d40bd683e3cbaacf02b046005295aa6c30d3d832de486fc6f09

  • SHA512

    fd80d6fb61eb34c7d4236ae44f96830c5f9eae72f477a7a9adce2b9eda5b2c0b9b6d9427e38e34f900395008b256a97fab2eb4d899dc395a7a59301d4e20e58f

  • SSDEEP

    24576:aADdteLS1VO6wLVqq0aJSw69voIN7y7Di0:8E86MVX/SwHmf

Score
10/10

Malware Config

Signatures

  • DcRat

    DarkCrystal (DC) is a new .NET RAT, active since June 2019, capable of loading additional plugins.

  • Process spawned unexpected child process 57 IoCs

    This typically indicates the parent process was compromised via an exploit or macro.

  • DCRat payload 14 IoCs

    Detects payload of DCRat, commonly dropped by NSIS installers.

  • Executes dropped EXE 3 IoCs
  • Drops file in Program Files directory 28 IoCs
  • Drops file in Windows directory 4 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Creates scheduled task(s) 1 TTPs 57 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

  • Suspicious behavior: EnumeratesProcesses 10 IoCs
  • Suspicious use of AdjustPrivilegeToken 4 IoCs
  • Suspicious use of WriteProcessMemory 27 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

Processes

  • C:\Users\Admin\AppData\Local\Temp\NEAS.f83148f181f138db59182790125e3550.exe
    "C:\Users\Admin\AppData\Local\Temp\NEAS.f83148f181f138db59182790125e3550.exe"
    1⤵
    • Drops file in Program Files directory
    • Drops file in Windows directory
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:1444
    • C:\Users\Public\NEAS.f83148f181f138db59182790125e3550.exe
      "C:\Users\Public\NEAS.f83148f181f138db59182790125e3550.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:2780
      • C:\Windows\System32\WScript.exe
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\153b8ef5-273b-46d5-ae29-78e40e0daa59.vbs"
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:2856
        • C:\Users\Public\NEAS.f83148f181f138db59182790125e3550.exe
          C:\Users\Public\NEAS.f83148f181f138db59182790125e3550.exe
          4⤵
          • Executes dropped EXE
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:1764
          • C:\Windows\System32\WScript.exe
            "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\37ceb387-1e95-46bf-9844-32115c4da22b.vbs"
            5⤵
            • Suspicious use of WriteProcessMemory
            PID:3052
            • C:\Users\Public\NEAS.f83148f181f138db59182790125e3550.exe
              C:\Users\Public\NEAS.f83148f181f138db59182790125e3550.exe
              6⤵
              • Executes dropped EXE
              • Suspicious behavior: EnumeratesProcesses
              • Suspicious use of AdjustPrivilegeToken
              • Suspicious use of WriteProcessMemory
              PID:1116
              • C:\Windows\System32\WScript.exe
                "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\e4e4b355-29c6-4cf4-b92d-dfb043007ec3.vbs"
                7⤵
                  PID:1748
                • C:\Windows\System32\WScript.exe
                  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\1ac5a03a-a28f-4b83-8abc-038eddb96300.vbs"
                  7⤵
                    PID:1672
              • C:\Windows\System32\WScript.exe
                "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ee962708-473f-440e-b335-e0cd2841c6dd.vbs"
                5⤵
                  PID:1088
            • C:\Windows\System32\WScript.exe
              "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\b00b66a6-165c-45e7-9f69-ffa465cde458.vbs"
              3⤵
                PID:848
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 14 /tr "'C:\Program Files\Windows Media Player\en-US\System.exe'" /f
            1⤵
            • Process spawned unexpected child process
            • Creates scheduled task(s)
            PID:2176
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Program Files\Windows Media Player\en-US\System.exe'" /rl HIGHEST /f
            1⤵
            • Process spawned unexpected child process
            • Creates scheduled task(s)
            PID:2764
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 9 /tr "'C:\Program Files\Windows Media Player\en-US\System.exe'" /rl HIGHEST /f
            1⤵
            • Process spawned unexpected child process
            • Creates scheduled task(s)
            PID:2552
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 7 /tr "'C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\taskhost.exe'" /f
            1⤵
            • Process spawned unexpected child process
            • Creates scheduled task(s)
            PID:3064
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "taskhost" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\taskhost.exe'" /rl HIGHEST /f
            1⤵
            • Process spawned unexpected child process
            • Creates scheduled task(s)
            PID:2564
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 8 /tr "'C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\taskhost.exe'" /rl HIGHEST /f
            1⤵
            • Process spawned unexpected child process
            • Creates scheduled task(s)
            PID:1640
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "lsml" /sc MINUTE /mo 11 /tr "'C:\Users\Admin\Favorites\MSN Websites\lsm.exe'" /f
            1⤵
            • Process spawned unexpected child process
            • Creates scheduled task(s)
            PID:2588
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "lsm" /sc ONLOGON /tr "'C:\Users\Admin\Favorites\MSN Websites\lsm.exe'" /rl HIGHEST /f
            1⤵
            • Process spawned unexpected child process
            • Creates scheduled task(s)
            PID:3068
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "lsml" /sc MINUTE /mo 11 /tr "'C:\Users\Admin\Favorites\MSN Websites\lsm.exe'" /rl HIGHEST /f
            1⤵
            • Process spawned unexpected child process
            • Creates scheduled task(s)
            PID:2452
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\lsass.exe'" /f
            1⤵
            • Process spawned unexpected child process
            • Creates scheduled task(s)
            PID:1208
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\lsass.exe'" /rl HIGHEST /f
            1⤵
            • Process spawned unexpected child process
            • Creates scheduled task(s)
            PID:2876
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\lsass.exe'" /rl HIGHEST /f
            1⤵
            • Process spawned unexpected child process
            • Creates scheduled task(s)
            PID:2880
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 8 /tr "'C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.fr\wininit.exe'" /f
            1⤵
            • Process spawned unexpected child process
            • Creates scheduled task(s)
            PID:3000
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.fr\wininit.exe'" /rl HIGHEST /f
            1⤵
            • Process spawned unexpected child process
            • Creates scheduled task(s)
            PID:2556
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 9 /tr "'C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.fr\wininit.exe'" /rl HIGHEST /f
            1⤵
            • Process spawned unexpected child process
            • Creates scheduled task(s)
            PID:1048
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "servicess" /sc MINUTE /mo 5 /tr "'C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\services.exe'" /f
            1⤵
            • Process spawned unexpected child process
            • Creates scheduled task(s)
            PID:1884
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\services.exe'" /rl HIGHEST /f
            1⤵
            • Process spawned unexpected child process
            • Creates scheduled task(s)
            PID:2480
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "servicess" /sc MINUTE /mo 9 /tr "'C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\services.exe'" /rl HIGHEST /f
            1⤵
            • Process spawned unexpected child process
            • Creates scheduled task(s)
            PID:1796
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 11 /tr "'C:\Windows\addins\dwm.exe'" /f
            1⤵
            • Process spawned unexpected child process
            • Creates scheduled task(s)
            PID:848
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Windows\addins\dwm.exe'" /rl HIGHEST /f
            1⤵
            • Process spawned unexpected child process
            • Creates scheduled task(s)
            PID:1052
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 12 /tr "'C:\Windows\addins\dwm.exe'" /rl HIGHEST /f
            1⤵
            • Process spawned unexpected child process
            • Creates scheduled task(s)
            PID:684
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 5 /tr "'C:\Recovery\8085ef82-71fa-11ee-8ff5-ea7cdd3ca6eb\taskhost.exe'" /f
            1⤵
            • Process spawned unexpected child process
            • Creates scheduled task(s)
            PID:2824
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "taskhost" /sc ONLOGON /tr "'C:\Recovery\8085ef82-71fa-11ee-8ff5-ea7cdd3ca6eb\taskhost.exe'" /rl HIGHEST /f
            1⤵
            • Process spawned unexpected child process
            • Creates scheduled task(s)
            PID:2736
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 9 /tr "'C:\Recovery\8085ef82-71fa-11ee-8ff5-ea7cdd3ca6eb\taskhost.exe'" /rl HIGHEST /f
            1⤵
            • Process spawned unexpected child process
            • Creates scheduled task(s)
            PID:1492
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 10 /tr "'C:\Program Files\DVD Maker\Shared\DvdStyles\Push\taskhost.exe'" /f
            1⤵
            • Process spawned unexpected child process
            • Creates scheduled task(s)
            PID:292
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "taskhost" /sc ONLOGON /tr "'C:\Program Files\DVD Maker\Shared\DvdStyles\Push\taskhost.exe'" /rl HIGHEST /f
            1⤵
            • Process spawned unexpected child process
            • Creates scheduled task(s)
            PID:812
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 13 /tr "'C:\Program Files\DVD Maker\Shared\DvdStyles\Push\taskhost.exe'" /rl HIGHEST /f
            1⤵
            • Process spawned unexpected child process
            • Creates scheduled task(s)
            PID:772
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 7 /tr "'C:\Recovery\8085ef82-71fa-11ee-8ff5-ea7cdd3ca6eb\audiodg.exe'" /f
            1⤵
            • Process spawned unexpected child process
            • Creates scheduled task(s)
            PID:2092
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "audiodg" /sc ONLOGON /tr "'C:\Recovery\8085ef82-71fa-11ee-8ff5-ea7cdd3ca6eb\audiodg.exe'" /rl HIGHEST /f
            1⤵
            • Process spawned unexpected child process
            • Creates scheduled task(s)
            PID:2068
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 13 /tr "'C:\Recovery\8085ef82-71fa-11ee-8ff5-ea7cdd3ca6eb\audiodg.exe'" /rl HIGHEST /f
            1⤵
            • Process spawned unexpected child process
            • Creates scheduled task(s)
            PID:1736
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "lsml" /sc MINUTE /mo 11 /tr "'C:\Recovery\8085ef82-71fa-11ee-8ff5-ea7cdd3ca6eb\lsm.exe'" /f
            1⤵
            • Process spawned unexpected child process
            • Creates scheduled task(s)
            PID:2940
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "lsm" /sc ONLOGON /tr "'C:\Recovery\8085ef82-71fa-11ee-8ff5-ea7cdd3ca6eb\lsm.exe'" /rl HIGHEST /f
            1⤵
            • Process spawned unexpected child process
            • Creates scheduled task(s)
            PID:2852
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "lsml" /sc MINUTE /mo 5 /tr "'C:\Recovery\8085ef82-71fa-11ee-8ff5-ea7cdd3ca6eb\lsm.exe'" /rl HIGHEST /f
            1⤵
            • Process spawned unexpected child process
            • Creates scheduled task(s)
            PID:2420
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Media Player\Network Sharing\spoolsv.exe'" /rl HIGHEST /f
            1⤵
            • Process spawned unexpected child process
            • Creates scheduled task(s)
            PID:548
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Windows Media Player\Network Sharing\spoolsv.exe'" /f
            1⤵
            • Process spawned unexpected child process
            • Creates scheduled task(s)
            PID:2064
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Windows Media Player\Network Sharing\spoolsv.exe'" /rl HIGHEST /f
            1⤵
            • Process spawned unexpected child process
            • Creates scheduled task(s)
            PID:836
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 8 /tr "'C:\Users\Admin\Recent\taskhost.exe'" /f
            1⤵
            • Process spawned unexpected child process
            • Creates scheduled task(s)
            PID:648
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "taskhost" /sc ONLOGON /tr "'C:\Users\Admin\Recent\taskhost.exe'" /rl HIGHEST /f
            1⤵
            • Process spawned unexpected child process
            • Creates scheduled task(s)
            PID:2044
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 9 /tr "'C:\Users\Admin\Recent\taskhost.exe'" /rl HIGHEST /f
            1⤵
            • Process spawned unexpected child process
            • Creates scheduled task(s)
            PID:2184
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "NEAS.f83148f181f138db59182790125e3550N" /sc MINUTE /mo 5 /tr "'C:\Users\Public\NEAS.f83148f181f138db59182790125e3550.exe'" /f
            1⤵
            • Process spawned unexpected child process
            • Creates scheduled task(s)
            PID:1136
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "NEAS.f83148f181f138db59182790125e3550" /sc ONLOGON /tr "'C:\Users\Public\NEAS.f83148f181f138db59182790125e3550.exe'" /rl HIGHEST /f
            1⤵
            • Process spawned unexpected child process
            • Creates scheduled task(s)
            PID:1768
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "NEAS.f83148f181f138db59182790125e3550N" /sc MINUTE /mo 13 /tr "'C:\Users\Public\NEAS.f83148f181f138db59182790125e3550.exe'" /rl HIGHEST /f
            1⤵
            • Process spawned unexpected child process
            • Creates scheduled task(s)
            PID:1780
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 12 /tr "'C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\winlogon.exe'" /f
            1⤵
            • Process spawned unexpected child process
            • Creates scheduled task(s)
            PID:2432
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\winlogon.exe'" /rl HIGHEST /f
            1⤵
            • Process spawned unexpected child process
            • Creates scheduled task(s)
            PID:1672
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 13 /tr "'C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\winlogon.exe'" /rl HIGHEST /f
            1⤵
            • Process spawned unexpected child process
            • Creates scheduled task(s)
            PID:1372
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 8 /tr "'C:\Program Files\Windows Mail\en-US\lsass.exe'" /f
            1⤵
            • Process spawned unexpected child process
            • Creates scheduled task(s)
            PID:1632
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Program Files\Windows Mail\en-US\lsass.exe'" /rl HIGHEST /f
            1⤵
            • Process spawned unexpected child process
            • Creates scheduled task(s)
            PID:1972
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 13 /tr "'C:\Program Files\Windows Mail\en-US\lsass.exe'" /rl HIGHEST /f
            1⤵
            • Process spawned unexpected child process
            • Creates scheduled task(s)
            PID:1980
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "servicess" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Internet Explorer\services.exe'" /f
            1⤵
            • Process spawned unexpected child process
            • Creates scheduled task(s)
            PID:1516
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Program Files (x86)\Internet Explorer\services.exe'" /rl HIGHEST /f
            1⤵
            • Process spawned unexpected child process
            • Creates scheduled task(s)
            PID:628
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "servicess" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Internet Explorer\services.exe'" /rl HIGHEST /f
            1⤵
            • Process spawned unexpected child process
            • Creates scheduled task(s)
            PID:3048
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 10 /tr "'C:\Recovery\8085ef82-71fa-11ee-8ff5-ea7cdd3ca6eb\Idle.exe'" /f
            1⤵
            • Process spawned unexpected child process
            • Creates scheduled task(s)
            PID:1488
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Recovery\8085ef82-71fa-11ee-8ff5-ea7cdd3ca6eb\Idle.exe'" /rl HIGHEST /f
            1⤵
            • Process spawned unexpected child process
            • Creates scheduled task(s)
            PID:2968
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 6 /tr "'C:\Recovery\8085ef82-71fa-11ee-8ff5-ea7cdd3ca6eb\Idle.exe'" /rl HIGHEST /f
            1⤵
            • Process spawned unexpected child process
            • Creates scheduled task(s)
            PID:564
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 9 /tr "'C:\Users\Public\Pictures\Sample Pictures\taskhost.exe'" /f
            1⤵
            • Process spawned unexpected child process
            • Creates scheduled task(s)
            PID:2224
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "taskhost" /sc ONLOGON /tr "'C:\Users\Public\Pictures\Sample Pictures\taskhost.exe'" /rl HIGHEST /f
            1⤵
            • Process spawned unexpected child process
            • Creates scheduled task(s)
            PID:852
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 6 /tr "'C:\Users\Public\Pictures\Sample Pictures\taskhost.exe'" /rl HIGHEST /f
            1⤵
            • Process spawned unexpected child process
            • Creates scheduled task(s)
            PID:1276

Network

MITRE ATT&CK Enterprise v15

Downloads

                • C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.fr\wininit.exe

                  Filesize

                  1.1MB

                  MD5

                  f83148f181f138db59182790125e3550

                  SHA1

                  59af834bd5049062d03068977b90fdd60ab75516

                  SHA256

                  8cfaca4031f29d40bd683e3cbaacf02b046005295aa6c30d3d832de486fc6f09

                  SHA512

                  fd80d6fb61eb34c7d4236ae44f96830c5f9eae72f477a7a9adce2b9eda5b2c0b9b6d9427e38e34f900395008b256a97fab2eb4d899dc395a7a59301d4e20e58f

                • C:\Program Files\Windows Mail\en-US\lsass.exe

                  Filesize

                  1.1MB

                  MD5

                  e74fb4d109aa8dadacbd4d5e51a85bc9

                  SHA1

                  cfec51de0d7f03c1ee788a682a4e09c8d3f2d361

                  SHA256

                  593a24f68e9efcf094a4e61bad0d4a5285a9459013c836c7a4b3d528568335f9

                  SHA512

                  bf70a68c8c38818d931173acaf6f8bfc7e963196d14f03aad212f0ccd0a8bcca58f9ba3054e3c4d5c822820427ed6186df952dca008d98b8d838761b96244a36

                • C:\Users\Admin\AppData\Local\Temp\153b8ef5-273b-46d5-ae29-78e40e0daa59.vbs

                  Filesize

                  733B

                  MD5

                  8aa29192fd80fb01b4667f25d1c4918d

                  SHA1

                  f0aa7d140ddfbeb49c1f55daa6690617be3e7b37

                  SHA256

                  d26209861186cc05dcb87aa9cf18b0369dda4a529c2a38c8735e09d272a487bd

                  SHA512

                  3dc666f9f0fe0ad667ce1b2b1b5afc2136d3bac149a266b66c327379935651bc7110b344d711bff633a7a81ba62d34259aedcf79962d28ca432a5920a31791a7

                • C:\Users\Admin\AppData\Local\Temp\1ac5a03a-a28f-4b83-8abc-038eddb96300.vbs

                  Filesize

                  509B

                  MD5

                  9d68d443cc516cb82c5cf50559cf7f38

                  SHA1

                  3258da2b6228618529a945c5e9e04cefb1bceb9a

                  SHA256

                  d4e3ca64523e4f19fd162cfbdbf075b5ef9fe9333b7690da843eec566a8afd51

                  SHA512

                  41d2b06b7d301bfa0579d2bd30b0635c62aba1e0ec850d761a5cda40a711d1f0c0387149aed98b32a4d080f878c6afdbb821831ff8640dcdb6ffd4ff34445ddc

                • C:\Users\Admin\AppData\Local\Temp\2ef5f5af7dd7205e68f812d2851aa03e2d8785cc.exe

                  Filesize

                  1.1MB

                  MD5

                  f83148f181f138db59182790125e3550

                  SHA1

                  59af834bd5049062d03068977b90fdd60ab75516

                  SHA256

                  8cfaca4031f29d40bd683e3cbaacf02b046005295aa6c30d3d832de486fc6f09

                  SHA512

                  fd80d6fb61eb34c7d4236ae44f96830c5f9eae72f477a7a9adce2b9eda5b2c0b9b6d9427e38e34f900395008b256a97fab2eb4d899dc395a7a59301d4e20e58f

                • C:\Users\Admin\AppData\Local\Temp\37ceb387-1e95-46bf-9844-32115c4da22b.vbs

                  Filesize

                  733B

                  MD5

                  2bc0184d1fcefa52a8b463e31611fc1e

                  SHA1

                  204d70abaf21ec62ca5986f2d662edcb71e5a898

                  SHA256

                  e526d1f7dab7031b70badc6a8726f0bad374edbdad45f4a565dfb706ad10a9df

                  SHA512

                  a7908657f21cbb8485c5e691d023efe6b7dcd02001f12ae0e99d565c551d32116c05fe62b568c9aa40718edc8875b7d1ced92a865b8722dbe8273c37d985e2c7

                • C:\Users\Admin\AppData\Local\Temp\b00b66a6-165c-45e7-9f69-ffa465cde458.vbs

                  Filesize

                  509B

                  MD5

                  9d68d443cc516cb82c5cf50559cf7f38

                  SHA1

                  3258da2b6228618529a945c5e9e04cefb1bceb9a

                  SHA256

                  d4e3ca64523e4f19fd162cfbdbf075b5ef9fe9333b7690da843eec566a8afd51

                  SHA512

                  41d2b06b7d301bfa0579d2bd30b0635c62aba1e0ec850d761a5cda40a711d1f0c0387149aed98b32a4d080f878c6afdbb821831ff8640dcdb6ffd4ff34445ddc

                • C:\Users\Admin\AppData\Local\Temp\e4e4b355-29c6-4cf4-b92d-dfb043007ec3.vbs

                  Filesize

                  733B

                  MD5

                  7b9250e8560a0a07fb7d5358912eabaa

                  SHA1

                  f8cd47b79cbdc0d888a25fc1fdbafd7ff3a670d1

                  SHA256

                  5e4c2e2a5a6fb03daa0c7ffcd6cdcb33ff8151c512612563574905c74169a842

                  SHA512

                  2e4095f45ad6387b8e4e24c11369a4691a341204ae5f64b5a92f247c5f0fffdbac027ae1a8ba55a1998deb79521f5295f678e4dd74ac7dfcf36eb73fe8a108a3

                • C:\Users\Admin\AppData\Local\Temp\ee962708-473f-440e-b335-e0cd2841c6dd.vbs

                  Filesize

                  509B

                  MD5

                  9d68d443cc516cb82c5cf50559cf7f38

                  SHA1

                  3258da2b6228618529a945c5e9e04cefb1bceb9a

                  SHA256

                  d4e3ca64523e4f19fd162cfbdbf075b5ef9fe9333b7690da843eec566a8afd51

                  SHA512

                  41d2b06b7d301bfa0579d2bd30b0635c62aba1e0ec850d761a5cda40a711d1f0c0387149aed98b32a4d080f878c6afdbb821831ff8640dcdb6ffd4ff34445ddc

                • C:\Users\Public\NEAS.f83148f181f138db59182790125e3550.exe

                  Filesize

                  1.1MB

                  MD5

                  f83148f181f138db59182790125e3550

                  SHA1

                  59af834bd5049062d03068977b90fdd60ab75516

                  SHA256

                  8cfaca4031f29d40bd683e3cbaacf02b046005295aa6c30d3d832de486fc6f09

                  SHA512

                  fd80d6fb61eb34c7d4236ae44f96830c5f9eae72f477a7a9adce2b9eda5b2c0b9b6d9427e38e34f900395008b256a97fab2eb4d899dc395a7a59301d4e20e58f

                • memory/1116-224-0x0000000000D60000-0x0000000000E8C000-memory.dmp

                  Filesize

                  1.2MB

                • memory/1116-225-0x000007FEF5160000-0x000007FEF5B4C000-memory.dmp

                  Filesize

                  9.9MB

                • memory/1116-226-0x000000001B020000-0x000000001B0A0000-memory.dmp

                  Filesize

                  512KB

                • memory/1116-227-0x0000000000420000-0x0000000000432000-memory.dmp

                  Filesize

                  72KB

                • memory/1444-98-0x000000001B150000-0x000000001B1D0000-memory.dmp

                  Filesize

                  512KB

                • memory/1444-7-0x0000000000800000-0x000000000080A000-memory.dmp

                  Filesize

                  40KB

                • memory/1444-191-0x000007FEF5160000-0x000007FEF5B4C000-memory.dmp

                  Filesize

                  9.9MB

                • memory/1444-1-0x000007FEF5160000-0x000007FEF5B4C000-memory.dmp

                  Filesize

                  9.9MB

                • memory/1444-2-0x000000001B150000-0x000000001B1D0000-memory.dmp

                  Filesize

                  512KB

                • memory/1444-3-0x00000000007E0000-0x00000000007FC000-memory.dmp

                  Filesize

                  112KB

                • memory/1444-4-0x0000000000240000-0x0000000000250000-memory.dmp

                  Filesize

                  64KB

                • memory/1444-5-0x0000000002170000-0x0000000002186000-memory.dmp

                  Filesize

                  88KB

                • memory/1444-6-0x0000000000450000-0x0000000000462000-memory.dmp

                  Filesize

                  72KB

                • memory/1444-8-0x00000000022A0000-0x00000000022AE000-memory.dmp

                  Filesize

                  56KB

                • memory/1444-70-0x000007FEF5160000-0x000007FEF5B4C000-memory.dmp

                  Filesize

                  9.9MB

                • memory/1444-0-0x0000000000810000-0x000000000093C000-memory.dmp

                  Filesize

                  1.2MB

                • memory/1764-208-0x000000001B170000-0x000000001B1F0000-memory.dmp

                  Filesize

                  512KB

                • memory/1764-206-0x000007FEF4770000-0x000007FEF515C000-memory.dmp

                  Filesize

                  9.9MB

                • memory/1764-209-0x0000000000290000-0x00000000002A2000-memory.dmp

                  Filesize

                  72KB

                • memory/1764-220-0x000007FEF4770000-0x000007FEF515C000-memory.dmp

                  Filesize

                  9.9MB

                • memory/1764-221-0x000000001B170000-0x000000001B1F0000-memory.dmp

                  Filesize

                  512KB

                • memory/1764-222-0x000007FEF4770000-0x000007FEF515C000-memory.dmp

                  Filesize

                  9.9MB

                • memory/1764-207-0x00000000002C0000-0x00000000003EC000-memory.dmp

                  Filesize

                  1.2MB

                • memory/2780-203-0x000000001AF00000-0x000000001AF80000-memory.dmp

                  Filesize

                  512KB

                • memory/2780-188-0x0000000001250000-0x000000000137C000-memory.dmp

                  Filesize

                  1.2MB

                • memory/2780-189-0x000007FEF5160000-0x000007FEF5B4C000-memory.dmp

                  Filesize

                  9.9MB

                • memory/2780-190-0x000000001AF00000-0x000000001AF80000-memory.dmp

                  Filesize

                  512KB

                • memory/2780-204-0x000007FEF5160000-0x000007FEF5B4C000-memory.dmp

                  Filesize

                  9.9MB

                • memory/2780-192-0x0000000000580000-0x0000000000592000-memory.dmp

                  Filesize

                  72KB

                • memory/2780-202-0x000007FEF5160000-0x000007FEF5B4C000-memory.dmp

                  Filesize

                  9.9MB